Mozilla’s “home” JavaScript function
Posted on June 30th, 2008 in JavaScript | 4 Comments »
I came across an interesting bug in someone’s code today. They had an iframe that was created dynamically, and its URL depended on whether the variable home was true or not. They had declared home a few lines earlier, but the condition always evaluated to true no matter what. It turns out there is already a global of the same name in Mozilla-based browsers: a function that, when called, takes you to the home page set in your browser preferences. A function object is truthy, so as long as the page’s own declaration did not overwrite the built-in, the check passed every time.
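To make the collision concrete, here is an added example (not code from the original post). makeFirefoxLikeWindow is a constructed stand-in for a 2008-era Mozilla window object on which home(), back() and forward() are built-in functions; the frame URLs and the MyApp namespace are hypothetical. It emulates the buggy pattern, a helper that checks candidate global names against the window, and the namespaced fix.

```javascript
// Constructed stand-in for a Mozilla window of the era: home(), back() and
// forward() exist as functions. Not a real browser object.
function makeFirefoxLikeWindow() {
  return {
    home: function () { /* would navigate to the user's configured home page */ },
    back: function () {},
    forward: function () {},
    location: { href: 'http://example.test/' }
  };
}

// The bug from the post, emulated on a window object. A top-level `var home;`
// does not overwrite an existing global of that name (ECMAScript variable
// instantiation leaves an existing binding's value alone), so on Mozilla
// `home` is still the built-in function, and a function object is truthy.
function frameUrlBuggy(win, userIsHome) {
  if (!('home' in win)) win.home = undefined;   // effect of `var home;`
  if (userIsHome) win.home = true;              // effect of `if (cond) home = true;`
  return win.home ? '/frames/home.html' : '/frames/guest.html';
}

// Check candidate global names against the browser's window before using
// them; returns { name: typeof existing value } for every collision.
function findGlobalCollisions(win, names) {
  var collisions = {};
  for (var i = 0; i < names.length; i++) {
    if (names[i] in win) collisions[names[i]] = typeof win[names[i]];
  }
  return collisions;
}

// The fix the comments recommend: keep page state in one namespace object,
// so only a single global name can ever collide with a host property.
var MyApp = MyApp || {};   // hypothetical namespace; `var` hoisting makes this safe on first load
MyApp.home = false;
MyApp.frameUrl = function () {
  return MyApp.home ? '/frames/home.html' : '/frames/guest.html';
};
```

Running findGlobalCollisions against a real window before choosing global names is the cheapest defence; on a Mozilla window of the time it reports home, back and forward as functions, while on a Safari- or IE-like window (here an empty object) it reports nothing and frameUrlBuggy behaves as its author expected.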
I don’t have time to hack around with it at the moment, but I’d imagine this is a slight security risk. Similar to Jeremiah Grossman’s CSS History Hack, which can potentially reveal the sites you’ve visited recently, this one would reveal what the user’s home page is set to. My initial thought is that this would be hard to exploit: the only way to call this function without leaving the page is to call it inside an iframe (I tried it and it works), but the same-origin policy prevents code in the parent frame from seeing or accessing the contents of that iframe (or its window.location object) once it has navigated to a different domain. A quick check shows that this function doesn’t exist in Safari or Internet Explorer.
4 Responses
Just another reason why people should namespace their JS. Additionally, back() and forward() are also present in FF.
Nice catch.
Yes, you’re totally right Bryan. This would have been the perfect moment to preach about namespacing your JavaScript!
Independently of the CSS History Hack, I don’t see the issue here. Any attempts to reference the window object or location object of the iframe will result in a “Permission denied” error.
Yeah, I was mostly just surprised that this function exists. I don’t see a good reason for someone to use it, and it just clutters the global namespace offering more potential exploitation, whether it be a software exploit or through social engineering.
If I wanted to make annoying ads, for example, I could have an iframe within an iframe showing your home page, with some additional text stating that your browser is not secure and to download a free cleaner tool, etc. If you were an average internet user, and you saw your gmail inbox there, you may be alarmed and be dim enough to download my free tool.
Additionally, you could potentially check sites using the CSS History hack, open up a hidden frame to the user’s homepage, and run the CSS history hack again to see if any sites are in your list. You could open a popup, redirect the current window, and check the window.opener of the popup. You could redirect the user a few seconds after they visited your site to their homepage. They would probably assume they accidentally hit a shortcut key and go back to your site, where you can then check the document.referrer. This and many other ideas I’m sure would completely fail, but why take risks with a function no one really uses.